5 Tips for Improving Your Small Business Cybersecurity

Cloud computing has made it possible for today's small businesses to work from anywhere, on any device. They can transfer files easily between computers with Dropbox, video-conference across the country with Skype, and work from their smartphones and tablets without setting foot in the office.

But as some business owners have learned the hard way, the tradeoff for these collaborative benefits is the potential for a serious data security breach. Cybersecurity experts shared their thoughts on best IT practices and tips for improving your security policies.

Control your admin access

Research has shown that unmanaged administrator privileges are some of the biggest IT security threats to an organization. Yet many small businesses still don't take the time to set up the proper access limitations for non-admin employees, especially when those workers are using their own devices.

"Security policies and mechanisms must be put in place for company data access from personal devices," said P.J. Gupta, CEO of enterprise mobility management firm Amtel. "Tight control on who has the privileges to run which enterprise apps from which devices helps minimize the risk of data loss or corruption."

Keeping a close eye on your data is important, but don't waste precious resources on high-level security for everything. James Bindseil, CEO of file-transfer software company Globalscape, advised taking a layered approach to security.

"Not all [IT] activities are equal," he told Business News Daily. "Apply different security classifications when connecting with a trading partner than you would for the general public or internal employees."

It's important to apply the appropriate level of security to the right population, but don't forget about any of them, since hackers are most likely to go in through weak areas, Bindseil said.

Ask about cyberinsurance

In the last several years, cyberinsurance policies have become an increasingly popular option for small businesses looking to protect credit card information, customer names and addresses, and other sensitive data stored in online systems. Cyber-risks aren't typically covered under general liability insurance, so it's important to find out what types of coverage are available to you.

"Cyberinsurance is not a one-size-fits-all product," said Tim Francis, enterprise cyber lead at Travelers Insurance. "It's hard to identify what a 'small' business is when it comes to the world of cyber. Traditional measures like revenue and number of employees aren't good indicators of how much [risk] a company has in terms of data breaches. A small company can have very big exposure."

Cyberinsurance isn't a necessity for every business, but if you think it's something you need, be sure to speak with your insurance agent about your options.

Secure personal devices, but don't over-monitor

Allowing employees to use personal devices for work means you'll need some kind of monitoring system in place to protect any company data they're accessing. But being too strict and overbearing with your policies won't sit well with employees, who may feel that their privacy is being invaded.

"Earn the trust of your employees by implementing privacy policy that only allows monitoring of [work-related functions] on their devices," Gupta said. "Personal communications, contacts, apps and data should be out of bounds for any monitoring application. Avoid rigid policies in blacklisting and blocking apps on the device, and ensure that personal content is not wiped without employee permission."

If a data breach does occur and a personal device needs to be investigated, Francis recommended handling the situation very delicately. Get your HR and legal teams involved to ensure that the employee's private data isn't compromised in the process.

Have a process in place

The proper security software and tools will certainly guard against data breaches, but technology alone isn't necessarily the answer to your cybersecurity issues.

"When you're small, you try to throw technology at a problem," Bindseil said. "The real solution is a combination of people, process and technology."

The lack of an established, consistent process for dealing with security issues may cause people to try to work around the technological safeguards, Bindseil said. Therefore, designing a system that keeps data secure while facilitating employees' work is key to ensuring that your workers follow security protocols.

Francis agreed, noting that all security policies should be agreed upon, clearly written out and shared company-wide before employees begin using their own devices.